[regexp] Fix potential overflow on 32-bit builds

pthier · V8 LUCI CQ · commit 05f9ca4e222f · 2025-10-08T22:32:44.000-07:00
In RegExpMatchGlobalAtom_OneCharPattern, if subject is allocated at a high address, it is possible that `block + stride * max_count` overflows on 32-bit builds on a 64-bit platform. Fix this by comparing `stride * max_count` against the remaining length. Fixed: 449767585 Change-Id: I6a7be4064f53a2282b98c6a1f342e1b646d29b71 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7021933 Auto-Submit: Patrick Thier <pthier@chromium.org> Reviewed-by: Jakob Linke <jgruber@chromium.org> Commit-Queue: Jakob Linke <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#103009}
diff --git a/src/runtime/runtime-regexp.cc b/src/runtime/runtime-regexp.cc
@@ -2200,7 +2200,7 @@ inline void RegExpMatchGlobalAtom_OneCharPattern(
   // the maximum number of matches we can count in the vector before it
   // overflows.
   int max_count = std::numeric_limits<SChar>::max();
-  while (block + stride * max_count <= end) {
+  while (stride * max_count <= static_cast<size_t>(end - block)) {
     for (int i = 0; i < max_count; i++, block += stride) {
       const auto input = hw::LoadU(tag, block);
       // TODO(floitsch): use an operator for the comparison when it is available
@@ -2224,7 +2224,7 @@ inline void RegExpMatchGlobalAtom_OneCharPattern(
   // For blocks shorter than stride * max_count, lanes in submatches can't
   // overflow.
   DCHECK_LT(end - block, stride * max_count);
-  for (; block + stride <= end; block += stride) {
+  for (; stride <= static_cast<size_t>(end - block); block += stride) {
     const auto input = hw::LoadU(tag, block);
     // TODO(floitsch): use an operator for the comparison when it is available
     // on RISC-V.
